MaXe wrote: It's when there's a compromise of security, that you should change your password.

That's assuming the compromise is detected

True. But if it is not detected, then the attacker most likely has a backdoor, meaning that changing your password is pointless since he or she can just download the database, modify the encryption scheme, or backdoor the login function for that sake, so your password is sent in clear text to the attacker, and in this case HTTPS and HTTP do not matter at all, since the passwords can just be stored in a default-looking file on the server. (The last attack has been seen before.)

If the compromise isn't detected, there's no remediation of the risk, caused by an "agent" and a vulnerability in other words.
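The scenario above (a login handler silently modified after a server compromise) is what a file-integrity baseline exists to catch. The following is an added illustration written for this thread, not code posted by any participant: the file names and the two handler versions are constructed samples, and `log_credentials` is a hypothetical name standing in for whatever the attacker inserted.

```python
import hashlib

# Constructed sample: the login handler as deployed from a known-good release ...
ORIGINAL_LOGIN = b"""def login(user, password):
    return check_hash(user, password)
"""
# ... and the same file after one line was inserted that was never in the release.
TAMPERED_LOGIN = b"""def login(user, password):
    log_credentials(user, password)  # hypothetical inserted line
    return check_hash(user, password)
"""


def sha256_of(content: bytes) -> str:
    """Hex SHA-256 of a file's bytes; the unit of comparison for the baseline."""
    return hashlib.sha256(content).hexdigest()


def build_baseline(files: dict) -> dict:
    """Record one digest per path while the deployment is known to be clean.

    `files` maps path -> file contents (bytes). Store the result off the host:
    a baseline the attacker can edit proves nothing.
    """
    return {path: sha256_of(content) for path, content in files.items()}


def detect_tampering(baseline: dict, current: dict) -> list:
    """Compare the live tree against the baseline.

    Returns (path, reason) pairs: 'modified' for a changed digest, 'missing'
    for a baselined file that vanished, 'unexpected' for a new file (the
    'default-looking file' in which harvested passwords could be parked).
    """
    findings = []
    for path, digest in baseline.items():
        if path not in current:
            findings.append((path, "missing"))
        elif sha256_of(current[path]) != digest:
            findings.append((path, "modified"))
    for path in current:
        if path not in baseline:
            findings.append((path, "unexpected"))
    return findings


if __name__ == "__main__":
    clean = {"app/login.py": ORIGINAL_LOGIN}
    baseline = build_baseline(clean)
    live = {"app/login.py": TAMPERED_LOGIN, "app/.cache": b"constructed"}
    for path, reason in detect_tampering(baseline, live):
        print(f"{reason}: {path}")
```

Hashing the application tree only covers tampering in that tree; a backdoor placed in the web server, its modules or the runtime itself needs the same treatment at those layers.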

I still change my passwords. It gives me the warm fuzzy. I know it's delusional but I tell myself that most of the time when a site is compromised they harvest the accounts and never re-query the user base with the assumption that the passwords are not changing unless a compromise is announced. That and I never re-use passwords. I could not function without password vaults.

I would think it has been. Most black hats do not like the idea of white hats. It would give them more of a thrill knowing that they have hacked into a white hat's site, leading them to believe they are better.